rht
/
ocp-ing-ichp-materials


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203
							---
# Ensures there is an OIDC identity provider configured in OpenShift, that uses
# a client defined in RHBK deployed by the deploy-rhbk role.
#
# Required variables (some are reused from deploy-rhbk role):
#
# openshift:
#   rhbk_client_id:   the name of a client above to use for authentication (default "openshift")
#   create_groups:    whether to create the groups from realm in OpenShift as well (default yes)
#
# rhbk:
#   namespace:        namespace to deploy to (keycloak)
#   name:             name of the instance (sso)
#   fqdn:             fqdn of the route (hostname), detected if omitted
#   realm:            name of the realm (sample-realm)
#   clients:[]        a list of clients in the realm, must include openshift.rhbk_client_id
#   groups:[]         groups to create, this time create them in OpenShift
#
# TODO: prerequisite check:
#   - either a fqdn or an existing keycloak resource coordinates
#   - admin credentials
#
# TODO: console.spec.authentication.logoutRedirect (config.openshift.io/v1)
#   should be patched with a logout URL
#
- name: Check that the ingresscontroller's defaultCertificate is set
  kubernetes.core.k8s_info:
    kubeconfig: tmp/kubeconfig-ocp4
    validate_certs: no
    api_version: operator.openshift.io/v1
    kind: ingresscontroller
    namespace: openshift-ingress-operator
    name: default
  register: ingress_ca

- name: Get the router's default CA content
  kubernetes.core.k8s_info:
    kubeconfig: tmp/kubeconfig-ocp4
    validate_certs: no
    api_version: v1
    kind: secret
    namespace: openshift-config
    name: "{{ ingress_ca.resources[0].spec.defaultCertificate.name }}"
  register: ingress_ca

- name: Store the CA cert as an actual fact
  ansible.builtin.set_fact:
    ingress_ca: "{{ ingress_ca.resources[0].data['tls.crt'] }}"

- name: Check on oauth/cluster
  kubernetes.core.k8s_info:
    kubeconfig: tmp/kubeconfig-ocp4
    validate_certs: no
    api_version: config.openshift.io/v1
    kind: oauth
    name: cluster
  register: cluster_auth

- ansible.builtin.assert:
    that:
      - (cluster_auth.resources | length) == 1
      - (cluster_auth.resources[0].spec.identityProviders | length) >= 1
      - cluster_auth.resources[0].spec.identityProviders[0].type == "HTPasswd"
    fail_msg: "ERROR: OpenShift cluster authentication is not configured correctly."
    success_msg: "OK: OpenShift cluster authentication is configured correctly."

- name: If there is no FQDN, check what the default domain of the cluster is.
  kubernetes.core.k8s_info:
    kubeconfig: tmp/kubeconfig-ocp4
    validate_certs: no
    api_version: operator.openshift.io/v1
    kind: ingresscontroller
    namespace: openshift-ingress-operator
    name: default
  register: default_ingress
  when: rhbk.fqdn is not defined

- name: Set a fact that reflects either the FQDN as set, or a composition of vars and default ingress info.
  ansible.builtin.set_fact:
    rhbk_fqdn: "{{ rhbk.fqdn | default((rhbk.name | default('sso')) + '-' + (rhbk.namespace | default('keycloak')) + '.' + default_ingress.resources[0].status.domain) }}"

- name: Announce what hostname would be used.
  ansible.builtin.debug:
    msg: Using "https://{{ rhbk_fqdn }}" as the hostname.

- name: Make certain router CA CM exists in openshift-config
  kubernetes.core.k8s:
    kubeconfig: tmp/kubeconfig-ocp4
    validate_certs: no
    api_version: v1
    kind: configmap
    namespace: openshift-config
    name: sso-ingress-ca
    definition:
      metadata:
        labels:
          app: sso
      data:
        ca.crt: "{{ ingress_ca | string | b64decode }}"

- name: Make certain client secret exists in openshift-config
  kubernetes.core.k8s:
    kubeconfig: tmp/kubeconfig-ocp4
    validate_certs: no
    api_version: v1
    kind: secret
    namespace: openshift-config
    name: sso-client-secret
    definition:
      metadata:
        labels:
          app: sso
      type: Opaque
      data:
        clientSecret: "{{ (rhbk | community.general.json_query('clients[?id==`' + (openshift.rhbk_client_id | default('openshift')) + '`].secret'))[0] | b64encode }}"

- name: Figure out what to do with oauth/cluster - option 1
  ansible.builtin.set_fact:
    oauth_op: add
    oauth_path: /spec/identityProviders/-
  when: (cluster_auth.resources[0].spec.identityProviders | length) == 1

- name: Figure out what to do with oauth/cluster - option 2
  ansible.builtin.set_fact:
    oauth_op: replace
    oauth_path: /spec/identityProviders/1
  when: (cluster_auth.resources[0].spec.identityProviders | length) == 2

- name: Patch oauth/cluster
  kubernetes.core.k8s_json_patch:
    kubeconfig: tmp/kubeconfig-ocp4
    validate_certs: no
    api_version: config.openshift.io/v1
    kind: oauth
    name: cluster
    patch:
      - op: "{{ oauth_op }}"
        path: "{{ oauth_path }}"
        value:
          name: oidc
          mappingMethod: claim 
          type: OpenID
          openID:
            clientID: "{{ openshift.rhbk_client_id | default('openshift') }}"
            clientSecret: 
              name: sso-client-secret
            ca:
              name: sso-ingress-ca
            claims: 
              preferredUsername:
              - preferred_username
              name:
              - name
              email:
              - email
              groups:
              - groups
            issuer: "https://{{ rhbk_fqdn }}/realms/{{ rhbk.realm | default('sample-realm') }}"
  register: patched_oauth

- name: Wait for OAuth to rollout if the resource was patched.
  block:
    - name: Wait for co/authentication to start progressing.
      kubernetes.core.k8s_info:
        kubeconfig: tmp/kubeconfig-ocp4
        validate_certs: no
        api_version: config.openshift.io/v1
        kind: clusteroperator
        name: authentication
      register: co_auth
      until:
        - co_auth.resources is defined
        - co_auth.resources | length == 1
        - ((co_auth.resources[0].status | community.general.json_query('conditions[?type==`Progressing`].status'))[0] | bool)
      retries: 60
      delay: 5

    - name: Wait for co/authentication to finish progressing.
      kubernetes.core.k8s_info:
        kubeconfig: tmp/kubeconfig-ocp4
        validate_certs: no
        api_version: config.openshift.io/v1
        kind: clusteroperator
        name: authentication
      register: co_auth
      until:
        - co_auth.resources is defined
        - co_auth.resources | length == 1
        - not ((co_auth.resources[0].status | community.general.json_query('conditions[?type==`Progressing`].status'))[0] | bool)
      retries: 60
      delay: 5

  when: patched_oauth.changed

- name: Ensure OpenShift groups are there as well.
  kubernetes.core.k8s:
    kubeconfig: tmp/kubeconfig-ocp4
    validate_certs: no
    api_version: user.openshift.io/v1
    kind: group
    name: "{{ item }}"
  loop: "{{ rhbk.groups }}"
...